Data Protection: What It Means to NA Webservants. The Fourth Florida Service Symposium, March 24-27, 2011, Tampa, Florida, USA. IT Track, Session Number 4.


Page 1: Data Protection

Data Protection
What It Means to NA Webservants

The Fourth Florida Service Symposium
March 24-27, 2011, Tampa, Florida, USA

IT Track
Session Number 4

Page 2: Data Protection

What Is the Data Protection Act?

The European Union takes privacy very seriously.

• In 1998, they developed a data protection plan

• This has the force of law, in most nations

• It is known as the Data Protection Act (DPA)

Page 3: Data Protection

Eight Principles of the DPA

Personal data must be:

• Processed fairly and lawfully
• Obtained for specific and lawful purposes
• Adequate, relevant, and not excessive
• Accurate and up to date
• Kept no longer than necessary
• Processed in accordance with the subject’s rights
• Stored securely
• Not sent to any nation with lesser protection

Page 4: Data Protection

Does the DPA Apply to Us?

Page 5: Data Protection

So, What do We Mean by “Data”?

• Information being processed by computers or other data processing equipment

• Information collected for such processing

• Information gathered to be stored in a system that is designed to allow access to it

• Information that can be accessed later

• Information held by public authorities

Page 6: Data Protection

What Is “Personal Data”?

Very simply, it is any data that can directly, or when cross-referenced with other data, identify an individual.

Page 7: Data Protection

Example of Cross-Referencing

Email header cross-referenced with access log:

Email Header:

Return-path: <[email protected]>
•••
Received: from ip-cust-50.somegodforsakenscottishrock.net([73.50.161.62])

Access Log:

73.50.161.62 - - [14/Feb/2011:22:08:05 -0500] "GET /pictures/midgets-having-sex/with-goats/banned-in-three-nations.jpg HTTP/1.1" 200 9613 "-" "Mozilla/5.0 (webOS/1.4.5; U; en-US) AppleWebKit/532.2 (KHTML, like Gecko) Version/1.0 Safari/532.2 Pre/1.0"

In this case, the IP number was used to correlate an email received, with content being browsed.
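Added example (not from the original slides): a data-inventory check a webservant could run to see which access-log entries become personal data once they are joined to a mail header by IP address, as in the cross-reference above. The sample message, log lines, addresses, hostnames and function names are constructed for the illustration.

```python
import re
from email import message_from_string
from ipaddress import ip_address

# Constructed sample inputs (documentation-range IPs, made-up hostnames).
RAW_EMAIL = """\
Return-Path: <member@mail.example>
Received: from ip-cust-50.isp.example ([203.0.113.62])
\tby mx.webservant.example; Mon, 14 Feb 2011 21:55:10 -0500
Received: from [198.51.100.7] by relay.isp.example; Mon, 14 Feb 2011 21:55:08 -0500
Subject: meeting list update

body
"""
ACCESS_LOG = """\
203.0.113.62 - - [14/Feb/2011:22:08:05 -0500] "GET /meetings/tampa.html HTTP/1.1" 200 9613 "-" "Mozilla/5.0"
192.0.2.10 - - [14/Feb/2011:22:09:41 -0500] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.62 - - [14/Feb/2011:22:10:02 -0500] "GET /helpline.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

BRACKETED_IP = re.compile(r"\[([0-9A-Fa-f:.]+)\]")
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def received_ips(raw_email):
    """IP literals found in every Received: header of one message."""
    msg = message_from_string(raw_email)
    found = set()
    for header in msg.get_all("Received", []):
        for candidate in BRACKETED_IP.findall(header):
            try:
                found.add(str(ip_address(candidate)))
            except ValueError:
                pass  # bracketed text that is not an IP literal
    return found

def linkable_requests(raw_email, access_log):
    """Access-log entries whose client IP also appears in the email's headers."""
    msg = message_from_string(raw_email)
    sender = msg.get("Return-Path", "").strip("<> ")
    ips = received_ips(raw_email)
    hits = []
    for line in access_log.splitlines():
        m = LOG_LINE.match(line)
        if m and m.group(1) in ips:
            hits.append({"sender": sender, "ip": m.group(1), "time": m.group(2), "path": m.group(4)})
    return hits
```

Every entry this returns ties a named mailbox to browsing activity, so the log that holds it needs the same retention and security treatment as the mail itself.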

Page 8: Data Protection

What Personal Data do We Hold?

• Personal Names
• IP Addresses
• Telephone Numbers
• Mailing Addresses
• Email Addresses
• Actual Email Content
• Passwords

Page 9: Data Protection

How Sensitive?

• Race and/or Ethnicity
• Politics
• Religion
• Union Membership
• Health
• Sex
• Criminal History

Page 10: Data Protection

What is “Processing”

In a word, handling data

• Sending information by email
• Sending information by postal mail
• Verbally (phone, broadcast or in person)
• Displaying data (not just computer display)
• Fetching the data (can be getting a file folder)
• Organizing the data (like in a file cabinet)

Computers make all the above easier, but the definition goes beyond computers.

Page 11: Data Protection

Example of “Processing”

Giving someone a friend’s phone number over the phone.

Page 12: Data Protection

Another Example

Gossiping about someone, with personal information being exchanged verbally

Page 13: Data Protection

Rights and Duties

• The person to whom the data applies (not the person[s] currently in possession of the data) has RIGHTS. These are Data Subjects.

• The person[s] (or organization[s]) that process the data have DUTIES. These are Data Controllers.

• A Data Processor is a person or organization that processes data on behalf of a Controller.

Page 14: Data Protection

The Scary Words

• The “R” Word: RESPONSIBILITY

• The “A” Word: ACCOUNTABILITY

Page 15: Data Protection

Ignorance Is No Excuse

Page 16: Data Protection

Some useful links and further information:

• UK Information Commissioner Office; http://www.ico.gov.uk/

• US Safe Harbor Framework; http://www.export.gov/safeharbor/eu/eg_main_018365.asp

• Development of Data Protection in Europe, an overview; http://www.dataprotection.eu/

• History of Data Protection in the US; http://www.privireal.org/content/dp/usa.php

• US Census Bureau Data Protection (contains useful links to US Data Protection Sites); http://www.census.gov/privacy/data_protection/

Page 17: Data Protection

Q&A